Skip to main content

CWE-426

Untrusted Search Path

544 CVEs Avg CVSS 7.6 MITRE
17
CRITICAL
464
HIGH
50
MEDIUM
11
LOW
77
POC
2
KEV

Monthly

CVE-2026-48287 HIGH This Week

CAI Content Credentials is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

RCE C2Pa C2Pa Web C2Patool
NVD VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-48275 HIGH This Week

Illustrator is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

RCE Illustrator
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-48346 HIGH This Week

Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an untrusted search path (CWE-426) flaw that lets a malicious file, when opened by a victim, load attacker-controlled code in the context of the current user. The issue was reported by Adobe (advisory APSB26-83), requires user interaction, and carries a CVSS 3.1 base score of 7.9 with a changed scope. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Adobe Animate 2023 Adobe Animate 2024
NVD
CVSS 3.1
7.9
EPSS
0.2%
CVE-2026-57097 MEDIUM PATCH Exploit Unlikely This Month

Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack.

Authentication Bypass Microsoft Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +15
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-40945 HIGH This Week

Local privilege escalation in Siemens' IAM Client SDK, a shared authentication component bundled across a wide range of Siemens engineering and PLM products (Solid Edge, Teamcenter Visualization, Simcenter, Tecnomatix, COMOS, Designcenter NX), allows an authenticated local user to load attacker-controlled code through an untrusted search path (CWE-426) and gain elevated privileges. The flaw carries a CVSS 4.0 base score of 8.5 and requires only low local privileges with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Comos V10 4 5 Comos V10 6 Designcenter Nx Simcenter 3D +12
NVD
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-6901 HIGH This Week

Local privilege/code manipulation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) arises from an untrusted search path (CWE-426), allowing a low-privileged local user to plant a malicious executable or library that the application loads from an attacker-influenced directory. Successful exploitation yields high confidentiality and integrity impact on the affected engineering/operator station. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.4 (High).

Information Disclosure Aprol
NVD
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-46710 HIGH PATCH This Week

Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local attacker gain the elevated privileges of the installer by planting a malicious powershell.exe. Because the installer calls powershell.exe by name (not absolute path) after setting the working directory to the installation contextMenu folder, a privileged user who installs into an attacker-writable custom directory triggers execution of the attacker's binary. No public exploit has been identified at time of analysis; the issue is fixed in 8.9.6 and corresponds to CWE-426 (Untrusted Search Path).

Privilege Escalation Notepad Plus Plus
NVD GitHub
CVSS 4.0
7.5
EPSS
0.1%
CVE-2026-53865 npm HIGH POC PATCH GHSA This Week

Untrusted search path execution in OpenClaw before 2026.5.2 allows a local low-privileged user to coerce maintenance task routines into invoking attacker-controlled executables in place of the intended trash command. By manipulating workspace-derived environment paths consumed during maintenance operations, an authenticated user can hijack command resolution and run arbitrary binaries in the OpenClaw process context. No public exploit identified at time of analysis, but VulnCheck has published a dedicated advisory describing the workspace-derived service path abuse.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-53858 npm HIGH POC PATCH GHSA This Week

Untrusted search path in OpenClaw before 2026.5.2 allows local attackers who can influence a workspace .env file to redirect bundled runtime dependency loading to attacker-controlled paths, resulting in arbitrary code execution during dependency resolution. The STATE_DIRECTORY environment variable is not validated before being used to anchor runtime dependency roots, so a poisoned workspace can execute code in the context of a user who opens it. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Code Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-53846 npm HIGH POC PATCH GHSA This Week

Untrusted search path in OpenClaw versions prior to 2026.4.29 lets workspace-local .env files override the npm_execpath variable consulted by the install helper, redirecting bundled dependency installation to an attacker-controlled package-manager binary. An attacker who can place files in the workspace can hijack the runtime dependency setup step to compromise the build environment under the developer's identity, with no public exploit identified at time of analysis.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
EPSS 0% CVSS 7.4
HIGH This Week

CAI Content Credentials is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

RCE C2Pa C2Pa Web +1
NVD VulDB
EPSS 0% CVSS 8.6
HIGH This Week

Illustrator is affected by an Untrusted Search Path vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

RCE Illustrator
NVD
EPSS 0% CVSS 7.9
HIGH This Week

Arbitrary code execution in Adobe Animate 2023 and 2024 arises from an untrusted search path (CWE-426) flaw that lets a malicious file, when opened by a victim, load attacker-controlled code in the context of the current user. The issue was reported by Adobe (advisory APSB26-83), requires user interaction, and carries a CVSS 3.1 base score of 7.9 with a changed scope. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Adobe Animate 2023 Adobe Animate 2024
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH Exploit Unlikely This Month

Untrusted search path in Microsoft XML allows an unauthorized attacker to bypass a security feature with a physical attack.

Authentication Bypass Microsoft Windows 10 Version 1607 +17
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Local privilege escalation in Siemens' IAM Client SDK, a shared authentication component bundled across a wide range of Siemens engineering and PLM products (Solid Edge, Teamcenter Visualization, Simcenter, Tecnomatix, COMOS, Designcenter NX), allows an authenticated local user to load attacker-controlled code through an untrusted search path (CWE-426) and gain elevated privileges. The flaw carries a CVSS 4.0 base score of 8.5 and requires only low local privileges with no user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Comos V10 4 5 Comos V10 6 +14
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege/code manipulation in B&R Industrial Automation's APROL process control system (all versions before R 4.4-01P5) arises from an untrusted search path (CWE-426), allowing a low-privileged local user to plant a malicious executable or library that the application loads from an attacker-influenced directory. Successful exploitation yields high confidentiality and integrity impact on the affected engineering/operator station. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.4 (High).

Information Disclosure Aprol
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local privilege escalation in the Notepad++ Windows installer (versions 8.9.4 through 8.9.5) lets an unprivileged local attacker gain the elevated privileges of the installer by planting a malicious powershell.exe. Because the installer calls powershell.exe by name (not absolute path) after setting the working directory to the installation contextMenu folder, a privileged user who installs into an attacker-writable custom directory triggers execution of the attacker's binary. No public exploit has been identified at time of analysis; the issue is fixed in 8.9.6 and corresponds to CWE-426 (Untrusted Search Path).

Privilege Escalation Notepad Plus Plus
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Untrusted search path execution in OpenClaw before 2026.5.2 allows a local low-privileged user to coerce maintenance task routines into invoking attacker-controlled executables in place of the intended trash command. By manipulating workspace-derived environment paths consumed during maintenance operations, an authenticated user can hijack command resolution and run arbitrary binaries in the OpenClaw process context. No public exploit identified at time of analysis, but VulnCheck has published a dedicated advisory describing the workspace-derived service path abuse.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH POC PATCH This Week

Untrusted search path in OpenClaw before 2026.5.2 allows local attackers who can influence a workspace .env file to redirect bundled runtime dependency loading to attacker-controlled paths, resulting in arbitrary code execution during dependency resolution. The STATE_DIRECTORY environment variable is not validated before being used to anchor runtime dependency roots, so a poisoned workspace can execute code in the context of a user who opens it. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Code Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH POC PATCH This Week

Untrusted search path in OpenClaw versions prior to 2026.4.29 lets workspace-local .env files override the npm_execpath variable consulted by the install helper, redirecting bundled dependency installation to an attacker-controlled package-manager binary. An attacker who can place files in the workspace can hijack the runtime dependency setup step to compromise the build environment under the developer's identity, with no public exploit identified at time of analysis.

Path Traversal Openclaw
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy